Intent to Ship - sandbox-"allow-downloads"

Intent to Ship - sandbox-"allow-downloads" Summary: Firefox 82 will start to block downloads that are initiated by sandboxed iframes unless the embedder has opted in via setting the “allow-download” sandbox-flag. Bug: Bugzilla 1558394 Standa

Intent to Ship - Support XCTO: nosniff for navigations

Currently the Support for “X-Content-Type-Options: nosniff“ is limited to CSS and JS resources. In Firefox 70 I intend to enable nosniff support for page navigations by default. If a server's response does not include any mime-type but sets the response header "XCTO: nosniff" then Firefox will pro

Intent to Implement- Double-keyed HTTP cache

Intent to Implement- Double-keyed HTTP cache Summary: Currently Browsers are vulnerable to cache-timing attacks, commonly referred to as XS Leaks attacks. Starting with Firefox 70 we want to explore a double-keyed HTTP cache. Instead of solely using the origin of the resource, we will double key

Intent to unship: CSP “require-sri-for” Support

Summary: In bug 1386214 we are planning to remove the Code for the "require-sri-for” CSP directive. The “require-sri-for” directive allows developers to block resource requests that do not contain integrity metadata. Please note that the entire code has always been behind a pref (security.csp.ex